Cloning iButton using RW1990 and AVR

Yesterday my RW1990 keys, which I had ordered from AliExpress, arrived. They look the same as the original iButton (DS1990A), but they hide one awesome feature: they are writeable, so you can change their serial number! This is how I managed to write them with some cheap parts I had at hand.

My first steps with iButtons were a few weeks ago, when I wrote a simple program to read them. Using some help from Wikipedia and some work on the timing, I managed to send a command, reset, and read the response from a connected 1-Wire chip (later I also wrote a program to read the 1-Wire DS18B20 temperature sensor).

Wiring:

Everything is powered from USB, so no external power is needed. The heart is an ATtiny2313 connected to a USBasp programmer. A USB-to-TTL serial adapter is used only for debugging. The RW1990 is powered through a 1k8 resistor, which also serves as a pull-up. Communication with the AVR goes through PORTB – PIN0. The socket for the key is made from a paper clip and a clothes-peg.

Protocol

After some short googling, I found a Russian page describing the protocol. With some help from Google Translate I managed to implement and test it. The RW1990 supports the same protocol as the standard DS1990. In addition, it supports a new command – 0xD5 for changing the serial number. The most important point is that you need a special procedure for writing. After some testing, I found out that you don't need to implement it exactly as described on that page. This is the procedure I use:

1. send reset
2. wait for response
3. send Read Serial command (0x33)
4. read 8-byte serial
5. wait 16ms
6. send reset
7. wait for response
8. send Write Serial command (0xD5)
9. write 8-byte serial
10. send reset
11. wait for response
12. send Read Serial command (0x33)
13. read 8-byte serial

Writing the new serial number is performed in a special way. Probably due to the energy required for writing to internal memory, each bit is followed by a 10ms high state on the bus. In addition, the “1” and “0” are inverted:

write “1” – level low, wait 60us, level up, wait 10ms

write “0” – level low, level up, wait 10ms
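The inverted write slots above, run against a recorded bus trace instead of a real pin so the sequence can be checked on a PC. This is an added example, not the code from the author's repository; the hook names (bus_low, bus_release, wait_us), the trace structure and the sample bytes are assumptions, and the LSB-first bit order is the standard 1-Wire order rather than something stated above.

```c
#include <stdint.h>
#include <string.h>
/* Bus hooks (assumption): a real AVR build would drive the pin and delay here. */
enum { EV_LOW, EV_HIGH, EV_WAIT };
static struct ev { int kind; uint32_t us; } trace[256];
static size_t trace_len;
static void record(int kind, uint32_t us) {
    if (trace_len < 256) trace[trace_len++] = (struct ev){ kind, us };
}
static void bus_low(void)        { record(EV_LOW, 0); }
static void bus_release(void)    { record(EV_HIGH, 0); }  /* pull-up lifts the line */
static void wait_us(uint32_t us) { record(EV_WAIT, us); }
/* One bit of the serial after 0xD5: inverted slot, then 10 ms high. */
void rw1990_write_bit(int bit) {
    bus_low();
    if (bit) wait_us(60);  /* "1" holds the line low for 60 us, "0" does not */
    bus_release();
    wait_us(10000);
}
/* Eight bytes, least significant bit first (standard 1-Wire bit order). */
void rw1990_write_serial(const uint8_t serial[8]) {
    trace_len = 0;
    for (int i = 0; i < 8; i++)
        for (int b = 0; b < 8; b++)
            rw1990_write_bit((serial[i] >> b) & 1);
}
/* Sum of the recorded delays: the minimum bus time one write takes. */
uint32_t trace_total_us(void) {
    uint32_t sum = 0;
    for (size_t i = 0; i < trace_len; i++) sum += trace[i].us;
    return sum;
}
/* Rebuild the bytes from the trace; returns the number of bits found. */
int trace_decode(uint8_t out[8]) {
    int bits = 0;
    memset(out, 0, 8);
    for (size_t i = 0; i + 1 < trace_len && bits < 64; i++) {
        if (trace[i].kind != EV_LOW) continue;
        if (trace[i + 1].kind == EV_WAIT && trace[i + 1].us == 60)
            out[bits / 8] |= (uint8_t)(1u << (bits % 8));
        bits++;
    }
    return bits;
}
static const uint8_t SAMPLE[8] = { 0x01, 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x00, 0x42 }; /* constructed, not a real key */
int main(void) {  /* exit status 0 when the trace decodes back to SAMPLE */
    uint8_t back[8];
    rw1990_write_serial(SAMPLE);
    return !(trace_decode(back) == 64 && memcmp(back, SAMPLE, 8) == 0);
}
```

The summed delays show why the write is slow: 64 bits at 10ms each put the write phase at roughly 0.64 s before the read-back.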

Programming

Source code is written in C and compiled using avr-gcc. You can find it on my GitHub. This is an example of the program's output (captured through the USB-TTL converter):